logon optimization for xendesktop and xenapp

WHITE PAPER | Logon Optimization i Optimization Guide: User Logon Understanding and Optimizing the Logon Process for XenApp and XenDesktop

Upload: cash-sly

Post on 12-Nov-2014




1 download


Page 1: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Optimization Guide: User Logon

Understanding and Optimizing the Logon Process for XenApp

and XenDesktop

Page 2: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Table of Contents Introduction .......................................................................................................................................... 1 Logon Process ...................................................................................................................................... 1 Common Causes of Logon Delays ....................................................................................................... 4

Logon & Authentication Issues ............................................................................................................................................... 4 Profile Issues ............................................................................................................................................................................... 5 GPO Processing and Logon Script Issues ............................................................................................................................. 7 Desktop and Application Issues .............................................................................................................................................. 9 Hardware and Networking Issues .......................................................................................................................................... 10

Troubleshooting Tools ........................................................................................................................ 12 Optimizing the Logon Process ........................................................................................................... 19

Profile Load ............................................................................................................................................................................... 19 GPO and Logon Script Processing ....................................................................................................................................... 24 XenApp Optimizations ........................................................................................................................................................... 27 Summary .................................................................................................................................................................................... 29

Appendix ............................................................................................................................................. 30 References............................................................................................................................................ 31

Page 3: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization



The logon process for users accessing virtual desktops as delivered through Citrix XenDesktop or virtual applications as delivered through Citrix XenApp involves a variety of communication checkpoints and component interaction. Depending on the user environment and access location there can be an array of Citrix, Microsoft and possibly third-party components involved in the logon process. In order to optimize user productivity and enhance the overall virtual application and desktop experience, Citrix Consulting developed this white paper specifically focused on the logon process, common cause for logon delays and optimizations for improving the amount of time required to execute the logon process.

For an administrator to assess the logon process within their respective environment, the administrator must ensure that they have a detailed understanding of the logon process. This paper outlines the logon process for XenApp and XenDesktop, with a particular focus on identifying those key areas that commonly slow down the logon process. Each step of the logon process and each piece of component communication is outline in detail. With a solid understanding of the logon process, the reader is then introduced to the common causes of logon delays. This section provides a high-level aggregate of the logon delays that Citrix Consultants have encountered on customer engagements.

The common causes of logon delays serve as a high-level checklist that provide administrators with a reference point for investigating logon delays within their environment, but there is typically a need for quantifiable metrics to help guide an administrator through the process of determining which environment modifications and troubleshooting tools can be used to validate the delays to prove that modifications to the environment improved the actual logon times. The Citrix Consulting Solution Center team drilled into some of the common causes of logon delays to provide tangible metrics that can be referenced in any XenApp and XenDesktop environments. This whitepaper details the results and methodology of the Citrix Consulting Solution Center testing with a focus on the four modifications that had the most significant impact to the logon times:

The size of the user profile has the biggest impact on logon times, so the type of profile used is an important consideration.

Logon scripts completed faster when they are applied using Group Policy Objects rather than the logon script field at the Active Directory user level.

Logon performance improves when fewer Group Policies are applied. Merge GPOs when possible instead of having multiple GPOs.

XenApp 6.5 applications configured for Pre-Launch have demonstrated 60%-65% improvement in logon times.

Lastly, this documentation should be used as a reference and any modifications or changes to an environment should be validated in a test environment before implementing into production.

Page 4: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Logon Process

In order to better understand where time can be shaved from the user logon, we will first review the logon process as shown below: Please note that this diagram focuses on internal users accessing either a XenApp or XenDesktop resource. Additional steps are required based on external access via Access Gateway.

Web Interface



RDS/TS License Server

File Server

1. Request ICA File

4. Return Generated ICA File

2. Request Best Server

3. Return Response

5. Connect to Given Server/Desktop

6. Confirm RDS/TS License


Citrix License Server

9. Confirm Citrix License8a. Find Profile

8b. Download Roaming Profile

7. Authenticateto AD

Figure 1: XenApp/XenDesktop Logon Process

Step XenApp XenDesktop

1 User requests a connection to a desktop or application. Users initiate the process by launching an application or desktop through the Citrix client, a shortcut create by Receiver, or a link on Web Interface.

Page 5: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


2 Web Interface queries the XenApp Zone Data Collector (ZDC). The Web Interface passes the request to the appropriate controller, along with authentication and user information.

Web Interface queries the XenDesktop Controller (XDC). The Web Interface passes the request to the appropriate controller, along with authentication and user information.

3 ZDC returns best server information. Using load information, available servers, zone preferences and access rights, the controller server returns the best server for the user to access.

XDC returns best desktop information. Using available desktop and access rights, the controller server returns the best desktop for the user to access. If necessary, the XDC will start a desktop at this time.

4 Web Interface generates an ICA file. Using the provided information from the controller server, the user and local web configuration settings, the WI server generates a small session initiation file and passes it to the client.

5 User connects to XenApp server. A connection is initiated with the given server or desktop. During the handshaking process, the client and the server determine encryption levels and other capabilities

User connects to XenDesktop desktop. A connection is initiated with the given server or desktop. During the handshaking process, the client and the server determine encryption levels and other capabilities

6 Remote Desktop Services/Terminal Services Licenses are verified. The XenApp server validates that RDS/TS licenses are available.

7 User is authenticated against Active Directory. Credentials passed to the XenApp server or XenDesktop are confirmed against AD, and checked to see if the user has access to the server / desktop.

8 User Profile is downloaded. The server or desktop will check to see whether a copy of the roaming profile exists, and then if it does not or if the roaming profile on the profile store is newer, it will download the roaming profile from the remote server. Other profile solutions may operate at the same time, or may activate at a later step.

9 Citrix licenses are verified. For whichever Citrix products are being used, appropriate licenses are verified, and an appropriate error message is displayed if licenses are not available.

Page 6: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


10 GPOs are applied. The server or desktop then queries Active Directory for user-specific GPOs and applies them to the operating system. Any additional GPO extensions are then applied as well, such as folder redirection or security policies, followed by any applications stated in the GPO. Anything specified in the “run” registry key is executed, then any specified user logon scripts are run to update the operating system.

11 Citrix Policies Applied. Any remaining policy actions, such as mapping drives, session and auto-created printers or other policy configurations are applied at this point.

12 Startup menu applications executed. Any applications or scripts in the users “Startup” folder are executed.

Table 1: XenApp/XenDesktop Logon Process

Common Causes of Logon Delays

There are many issues that cause significant delays in logons – this portion of the paper will investigate some of the more common ones and provide suggestions on how to identify and mitigate them. Issues can result from misconfigurations, network issues, hardware overutilization, resource-intensive programs or scripts, corrupt profiles, or a number of other causes. Overloaded network or hardware can cause any or all steps in the process to increase in length, or even fail completely.

Figure 2: Logon Process

Logon & Authentication Issues

Authentication is an often overlooked piece of the logon puzzle. In an environment with an overloaded or inaccessible domain controller, this can have a dramatic impact on logon times. In most environments, authentication happens at multiple steps, including logging on to Web Interface or the Receiver authenticating and connecting to the actual desktop or server. Additionally, applications themselves may also authenticate to Active Directory, adding significant additional time to any application startup if the AD server is unresponsive.

Page 7: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Common Issue Description Mitigation

Overloaded Active Directory

Several authentication steps occur during the logon and launch process, with multiple communications to Active Directory. With an overloaded AD, this can lead to additional time required to log on.

Ensure the servers running Active Directory have enough resources to handle the load.

Unavailable Active Directory Server

Authentication processes may try connecting to the Active Directory server for up to 30 seconds before failing over to a secondary, adding additional time to logon.

Ensure XenApp and XenDesktop servers can contact the primary AD server and that the AD server has high uptime.

Slow authentication Authentication takes several seconds or longer to complete. This is commonly encountered at multi-site organizations that do not have domain controllers at remote offices.

Review the AD topology. Ensure that enough domain controllers are placed strategically to facilitate the authentication process.

Table 2: Common Authentication Issues

Profile Issues

Profiles are one of the most significant causes of logon times in most organizations. This can either be due to size (file size or number) or connection issues to the profile store (generally a file share, though some third-party solutions may utilize databases). Several types of Microsoft profiles exist: local, roaming, mandatory, as well as many third-party solutions. The most common profile options available when implementing XenApp or XenDesktop, and their benefits and disadvantages include:

Profile Type Benefits Disadvantages

Local Profile Fast logon when local profile is cached Consumes local disk on server

Not consistent across servers and sessions

Susceptible to profile bloating

Roaming Profile Consistency across servers and sessions

User settings and profile changes are saved across sessions

Slow logon

Susceptible to profile corruption

Susceptible to profile bloating

Page 8: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Mandatory Profile Consistency across servers and sessions

Not susceptible to profile bloating

Fast logon

User settings and profile changes are not saved across sessions

Table 3: Common Profile Types

Mandatory, though simplest to maintain, is not feasible in many environments, so a third-party solution (like Citrix Profile Management, AppSense Environment Manager or Liquidware ProfileUnity) may represent the best option. Some of these third-party profile solutions, including Citrix Profile Management, offer the ability to “stream” the profile rather than loading it in its entirety on startup, which can greatly reduce overall logon time. Citrix Profile Management 4.1 can also improve logon performance by allowing administrators to exclude certain data from the user profile.

This section will primarily focus on roaming, as this is one of the most common profile configurations with XenApp and XenDesktop deployments. However Citrix Profile Management 4.1 will also be addressed in the section covering optimizing profile load times.

Without proper management and configuration, roaming profiles can easily grow to a large size, either in terms of file size or number, and both can cause delays in logons (for example, a large number of cookies add noticeable time to a logon, even if the total file size is minimal). To reduce the size of roaming profiles, Microsoft and Citrix recommend redirecting almost all user folders, such as Desktop and Documents, to a file share. The one exclusion is AppData, as the contents of this folder can be heavily utilized by some applications and may cause perceived sluggishness if data retrieval must cross the network. Additionally, if business requirements permit, some folders (such as Internet History) can be ignored altogether, reducing both network traffic and profile size.

However, roaming profiles are subject to the “last write wins” issue, wherein only the last session settings are saved and interim settings are overwritten. In an environment where users can be connected to multiple sessions, such as is the case when multiple XenApp and/or XenDesktop sessions are open, this can cause some settings to be overwritten or increase the chances of the profile becoming corrupted. In a Windows 2008 R2 AD environment, GPOs can be applied to allow for interim writes, which could reduce profile corruption issues.

Additionally, network bandwidth and connection issues can greatly impact logon times due to profiles. If the user profile repository is unavailable, by default the session will try to connect to the designated user profile for up to 30 seconds. If unable to connect, the server can either refuse to allow access to the session (the default), or grant the user a default local profile. Generally, the former option is recommended as it will allow issues to be recognized more quickly, but in some environments giving the user a default profile creates a better user experience and more availability if the file share is unavailable.

Finally, it is notable that regular roaming and mandatory profiles can be distinct from Terminal Services/Remote Desktop Services profiles. TS/RDS profiles, if enabled, will only apply to Terminal Server-based connections though they will act similarly to normal roaming profiles. If both are enabled in the environment, it is important to troubleshoot the right set of profiles.

For third-party profile solutions, please see the Citrix Ready website.

Page 9: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Common Issue Description Mitigation

Large Profile Profiles need to be downloaded on each logon, and un-optimized profiles can grow to hundreds of megabytes or thousands of files. Either size or quantity of files in a roaming profile can increase the download size.

Redirect most user folders to a network share (Desktop, Documents) or ignore folders if allowable by the business (Cookies & History).

Corrupt Profiles If a user commonly opens up multiple sessions, this increases the chances of developing corrupt roaming profiles.

With Windows Server 2008 R2 Active Directory, enable interim roaming profile writes. Alternatively, use a third-party profile solution that manages multiple sessions more appropriately.

Unavailable Profile Store The profile store is unavailable, resulting in a logon delay and possibly default user settings or an inability to connect.

Ensure the profile store is highly available.

Overloaded Profile Store The server hosting the profile store has either too many users connecting, or may not be optimized as a file server, causing delays in delivering roaming profiles.

Optimize the server for file sharing, ensure the hardware (including disks and network) can handle the necessary load, and distribute to multiple servers if necessary.

Table 4: Common Profile Issues

GPO Processing and Logon Script Issues

GPOs and logon scripts can have a large impact on start time. Some of the common ways that GPOs increase logon times include:

Numerous GPOs, rather than a few large ones

Large numbers of access control rewrites on folders and files

Long-running scripts

o Slow or resource-intensive startup scripts (for example, those that move large numbers of files)

o Inefficient loops in scripts

o Nested calls to different scripts

Large numbers of mapped drives

Page 10: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Large numbers of network printers

Unused GPO sections (Computer/User) are not disabled

Numerous XenApp/XenDesktop policies

Discovering whether GPOs and/or logon scripts are causing delays can be a time-consuming process if not using an analysis tool such as EdgeSight (see the Optimizing the Logon Process section). Identifying whether GPOs or startup scripts are causing issues can be accomplished by moving a XenApp server or XenDesktop into an organizational unit (OU) with no policies and blocked inheritance, and login with a test user account that has no policies applied. The difference between this logon and normal logon time is caused by actions performed by the GPOs applied and/or the startup scripts, excluding those in the Startup folder of the server or base desktop image.

Another common cause of delays is mapping large numbers of printers, whether via GPO or from the client. Some users may have dozens of printers mapped on their client device, which by default will be mapped on the XenApp server or XenDesktop VDA as well. Setting a GPO or Citrix Policy setting to either map only the default client printer (or none!) or to not wait for printers to be created to start the session can greatly speed up the logon time for these kinds of users. If the latter is the method chosen (on by default), printers will be mapped in the background as the user starts working on the application, though it may mean that printers are not available for several seconds after logon.

Reducing the number of processes, services and applications that startup upon login can speed up the logon process, as each of these requested by the GPO, scripts, the “Run” registry key or items in the Startup menu folder can add time to logons.

Common Issue Description Mitigation

Access Control Rewrites Having GPOs that heavily rewrite access to files and folders on boot can have a significant impact on logon times.

Optimize access control to reduce number of required changes. Use AD groups and build permissions into base image.

Many GPOs Merging GPOs takes additional time and adds load to the AD server.

Merge GPOs where possible, so that only several larger GPOs exist, instead of hundreds of small ones.

Long Running Logon Scripts

Some scripts may complete a lot of actions, including calls to other scripts, long loops, mapping network drives, and others.

Optimize and merge logon scripts where possible. Windows Server 2008 introduced Group Policy Preferences, which when used can reduce or in some cases eliminate the need for logon scripts. When not using Group Policy Preferences, assign logon scripts to users via GPOs rather than the AD User Account property setting.

Page 11: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Printer/Driver Mappings Having many printer and driver mappings can increase logon time.

Reduce the number of required printer and drive mappings where possible, and ensure that client printer mapping is allowed to occur after logon in XenApp.

Table 5: Common GPO and Logon Script issues

Desktop and Application Issues

There are some additional factors that affect logon time. For XenDesktop, having available machines ready for assignment can greatly reduce logon times, as powering on a machine can add significant time to a logon. Additionally, disabling unnecessary services and startup programs can help reduce the time required for the machine to power on, if business reasons dictate it is impossible to have the machine pre-powered.

The applications themselves should not be ignored – if they are slow to start up, launching them within a XenApp or XenDesktop session will not inherently add or reduce startup time. Users will perceive this as part of the logon process, but it actually occurs after the steps are completed. It may be possible to optimize the application itself by ensuring that connections it makes to backend database servers or file shares are expeditious, or by optimizing the application itself. Additional logon screens may also create delays that increase the amount of time before users can actually start working.

XenApp 6.5 introduces a new feature Application Pre-Launch to speed up the application startup process. Application Pre-Launch automatically starts an application session when a user logs into Citrix Receiver. The session does not appear until the user launches the application. The application load time is reduced since the session was already started when the user logged on to Citrix Receiver. Be aware that when configuring an application for Pre-Launch, a XenApp license is consumed since the application is launched, regardless if the user initiates a connection to the application or not. For more information on configuring Application Pre-Launch for XenApp 6.5, please refer to CTX130793.

Another option for speeding up the application launch process is to configure applications with Anonymous access. By configuring applications to start anonymously, the client authentication process is eliminated, which speeds up the application start process. However there is a tradeoff to consider. Administrators lose the ability to control access to the application, Workspace Control is not supported, and user-specific settings are not retained once the session ends.

Common Issue Description Mitigation

Backend Database or File share is Slow

If backend resources for an application are over-utilized, this can affect startup times and performance of the application.

Ensure backend resources are not being used beyond their current capacity.

Application is Slow to Launch, Even Locally

If an application is slow to launch outside of XenApp/XenDesktop, it will likely still be slow on XenApp XenDesktop as well.

Contact the application’s support team to see if there are ways to optimize the startup process.

Page 12: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Desktop Takes a Long Time to Startup

If desktops are not powered on when the user accesses their desktop, some time will be required for the desktop to boot and be ready for login.

Prepare the system to have powered on desktops for users when they are expected to be used, if possible. Additionally, optimize the startup process by disabling or delaying services and applications that are scheduled to run at power on.

Additional Logon Screens Appear

Some applications require additional authentication steps.

Using a single sign on application will reduce the frustration and time required for end users to start working.

Table 6: Common Application Issues

Hardware and Networking Issues

Networking issues, generally related to misconfigured DNS settings or poor routing, can cause significant delays as requests are passed to incorrect locations and have to wait for timeouts. Symptoms that may indicate network problems include intermittently long logon times, dropped packets during pings, errors in the event log indicating failures to contact the Domain Controller or resolve local domain and machine names. These issues are generally some of the most difficult to troubleshoot because they may be the result of hardware issues or software misconfigurations and may occur intermittently to various groups of users. For example, if one DNS entry (such as the profile store) is incorrect in a round-robin configuration, then users will only occasionally experience delays as the service tries to find the target server, fails, and requests the next IP on the list.

Common Issue Description Mitigation

Inaccurate DNS Records Inaccurate DNS records can greatly increase logon times by directing processes to the wrong location. Often times, in round-robin configurations, these issues may be intermittent or only cause delays rather than failing obviously.

Ensure all mapped IP addresses for hostnames are correct, or use IP addresses in configurations.

Insufficient Network Bandwidth or Poor Quality

During peak times, network bandwidth may not be enough to handle the load required by all activities, or quality of the connection may result in dropped packets, resulting in high retransmits and throttled TCP/IP connections.

Monitor connection points, dropped packets, retransmits and client latency to servers to ensure quality connections.

Table 7: Common Networking Issues

Page 13: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Having any major component running at or over capacity can increase logon times as well. Components that can be overloaded include: the Domain Controller, Zone Data Controller (XenApp) or Desktop Controller (XenDesktop), Citrix XML Service server, Web Interface server, Terminal Server or Citrix Licensing Servers, or the actual XenApp/XenDesktop server themselves. If using virtualization technologies, the hypervisor or storage may also be over capacity.

Beyond looking at the metrics, tracking down which component may be a bottleneck can be achieved through the following process:

1) If login to the Web Interface server takes a long time, it is possible that either the Web Interface server or the Domain Controller authenticating credentials is overloaded.

2) If apps/desktops take a long time to enumerate, or the ICA file takes a long time to be generated then the ZDC/XDC may be overloaded. There are a couple of ways to test this:

a. Right-click an icon in Web Interface and choosing something similar to “Save Target As…”, then measure the time it takes to start and complete the download.

b. On XenApp, check whether the “Citrix Metaframe Presentation Server / WorkItem Queue Ready Count” counter on the ZDC – if the counter goes over 2, it is likely that the system is over-utilized and adding to delays.

3) If both of these steps do not identify a problem and the connection takes a significant amount of time, it is possible that the license servers are inaccessible or overloaded (the latter being a rare occurrence). The timeout for connecting to the license server is five seconds, resulting in a possible additional five-second delay if the server is unresponsive.

4) It is also possible that the application itself is taking a long time to launch, and application-specific issues should be investigated. If a connection to a backend database or file share may be required and the end resources are overloaded or unavailable, causing the application itself to take longer to launch. The user generally just sees this step as part of the logon process, even though it occurs after all official logon steps.

5) If after connected performance on the desktop or application is sluggish as well, it may be that either the XenApp server or XenDesktop are overloaded or under-provisioned, or a component of the underlying hypervisor is causing the bottleneck.

This basic process should help in determining which component in the architecture is causing delays, such as if the cause of the issue is an overloaded component.

Page 14: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Common Issue Description Mitigation

Hardware Overloaded For any machine, if the system is over-utilized, it can result in decreased performance and increased logon times.

Monitor all infrastructure machines to ensure disk, CPU, memory, network cards and other hardware are not being over-utilized.

Unexpected Hardware Downtime

Servers will occasionally go down due to physical issues.

Monitoring and alerting software is important to notify administrators of an issue and speed up the start of the repair process.

Table 8: Common Hardware Issues

Troubleshooting Tools

Trying to determine the root cause for slow logons to a Citrix environment is not an easy task without specific tools to monitor the logon and application startup process. EdgeSight is one tool that can be used to simplify many of the troubleshooting steps mentioned previously. Not only can it provide monitoring and alerting on server and desktop resources, response times of websites and servers, and other critical factors to aid in improving performance, it also reports data that fully explores the logon process and shows detailed information for the various steps. These reports can be used by IT even without user interaction, allowing them to proactively repair issues before they become widespread problems that generate large numbers of help desk calls or user dissatisfaction. By using the “Session Startup Duration Detail” report, EdgeSight will give information on both the duration of the server side and client side startup of applications, greatly reducing the troubleshooting time required to isolate issues.

The image below gives an example of the report. It may look complex at first, but this document will go into the definitions below the image. Information shown below applies to XenApp and XenDesktop logons, which are similar but not exactly the same (time shown is in milliseconds).

Page 15: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


The above image may seem complicated, but there are several key areas to look at. First, time is broken down by Server Side Duration and Client Side Duration, which indicates whether the client computer or the server side actions (such as those mentioned above) were the cause of a long logon. Often times, wide-scale slow logons will be the result of server-side activities, and the following are important areas to check:

Credentials Authentication. This includes the time that it takes for the credentials to be verified – if this time is significant, it could indicate that the Domain Controller may be overloaded, or may have some other reason for taking a long time to respond.

Profile Load. The time here indicates the necessary time required for the profile to be loaded during the session logon.

Login Script Execution. This is the time required for GPOs to be applied and logon scripts to run.

Printer Creation. This is the amount of time that it takes to map printers.

Drive Mappings. This is the time used to connect to network drives.

A full list of the different portions can be found below:

Metric Abbreviation Meaning Actions

Session Start-up Server Duration (SSD)

This is the high-level server-side connection start-up metric that encompasses the time XenApp/XenDesktop takes to perform the entire start-up operation. When an application starts in a shared session, this metric is normally much smaller than when starting a new session, which involves potentially high-cost tasks such as profile loading and login script execution.

When this metric is high, it indicates that there is a server-side issue increasing session start times.

Client Start-up Duration (CSD)

When this metric is high, it indicates a client-side issue that is causing long start times.

Review subsequent metrics in this table to determine the probable root cause of the issue.

Table 9: EdgeSight Key Metrics

Page 16: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Metric Abbreviation Meaning Actions

Credentials Authentication Server Duration (CASD)

The time the application server spends authenticating the user's credentials against the authentication provider, which may be Kerberos, Active Directory, or a Security Support Provider Interface (SSPI).

Credentials Obtention Network Server Duration (CONSD)

The time spent by the server performing network operations to obtain credentials for the user.

This only applies to a Security Support Provider Interface login (a form of pass-through authentication where the client device is a member of the same domain as the server and Kerberos tickets are passed in place of manually entered credentials).

Credentials Obtention Server Duration (COSD)

The time taken for the server to obtain the user credentials. Because this metric may be artificially inflated if a user fails to provide credentials in a timely manner, it is not included in the Session Start-up Server Duration (SSD).

This time is only likely to be a significant if manual login is being used and the server-side credentials dialog is displayed (or if a legal notice is displayed before login commences).

Program Neighborhood Credentials Obtention Server Duration (PNCOSD)

The time needed for the server to cause the Program Neighborhood instance running on the client to obtain the user credentials.

Like the COSD metric, this metric is not included in the Session Startup Server Duration (SSD) because it may be artificially inflated if a user does not enter credentials efficiently.

Profile Load Server Duration (PLSD)

The time required for the server to load the user's profile.

If this metric is high, consider your roaming profile configuration.

Login Script Execution Server Duration (LSESD)

The time the server needs to run the user's login scripts

Consider if you can streamline this user or group's login scripts. Consider if you can optimize any application compatibility scripts or use environment variables instead.

Page 17: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Printer Creation Server Duration (PCSD)

The time required for the server to synchronously map the user's client printers. If the configuration is set such that printer creation is performed asynchronously, no value is recorded for PCSD as it is does not impact completion of the session start-up.

Excessive time spent mapping printers is often the result of the printer auto creation policy settings. The number of printers added locally on the users' client devices and your printing configuration can directly affect your session start times. When a session starts, XenApp/XenDesktop has to create every locally mapped printer on the client device.

Drive Mapping Server Duration (DMSD)

The time needed for the server to map the user's client drives, devices and ports.

Make sure that, when possible, your base policies include settings to disable unused virtual channels, such as audio or COM port mapping, to optimize the ICA protocol and improve overall session performance.

Session Creation Server Duration(SCSD)

The time the server spends creating the session. This should not be confused with the overall SSD.

The session start times issue occurs between the when client connection is established and authentication begins.

Table 10: EdgeSight Server Side Metrics

Metric Abbreviation Meaning Actions

Application Enumeration Client Duration (AECD)

Application enumeration is one of the issues slowing down session start times.

Consider if the cause is an overloaded XML Broker or Web Interface server.

Page 18: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Backup URL Client Count (BUCC)

If this metric has a value higher than 1, it indicates the Web Interface server is unavailable and the Citrix Receiver is attempting to connect to back-up Web Interface servers to launch the application.

A value of 2 means that the main Web Interface server was unavailable, but the Citrix Receiver managed to launch the application successfully using the first back-up server that it tried.

A value higher than 2 means that multiple Web Interface servers are unavailable. Reasons Web Interface servers might be unavailable include (in order of likelihood):

Network issues between the client and the server. So the administrator should make sure that the Web Interface server is on the network and accessible to the clients.

An overloaded Web Interface server that is not responding (or has crashed for another reason). Try to log on to the server and check the Windows Performance Monitor/Task Manager to see how much memory is in use and so on. Also, review the Event Logs to see if Windows logged any serious errors.

Configuration File Download Client Duration (CFDCD)

The time it takes to get the configuration file from the XML server.

Credentials Obtention Client Duration (COCD)

The time it takes to obtain user credentials. This is a good metric to subtract from other client-side metrics. Note: COCD is only measured when the credentials are entered manually by the user. Because this metric may be artificially inflated if a user fails to provide credentials in a timely manner, it is subtracted from the Startup Client Duration (SCD). This consideration is especially important if the metric is to be used for threshold alerting.

Subtract this metric from other client-side metrics.

Page 19: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


ICA File Download Duration (IFDCD)

The time it takes for the plugin (client) to download the ICA file from the server.

If IFDCD is slow (but LPWD is normal), the server-side processing of the launch was successful, but there were communication issues between the client device and the Web server. Often, this results from network trouble between the two machines, so investigate potential network issues first.

Launch Page Web Server Duration (LPWD)

Review the information for IFDCD. The LPWD metric is only used when Web Interface is the application launch mechanism. If LPWD is slow, there is a bottleneck on the Web Interface server.

Possible causes include:

High load on the Web Interface server. Try to identify the cause of the slow down by checking the Internet Information Services (IIS) logs and monitoring tools, Task Manager, Performance Monitor and so on.

Web Interface is having issues communicating with the other components, such as the XenApp server. Check to see if the network connection between Web Interface and XenApp is slow or some XenApp servers are down or overloaded. If the Web server seems okay, consider reviewing the XenApp farm for problems.

Name Resolution Client Duration (NRCD)

This metric is collected when a client device directly queries the XML Broker to retrieve published application information stored in IMA (for example, when using Program Neighborhood or a Custom ICA Connection). NRCD is only gathered for new sessions since session sharing occurs during startup if a session already exists.

When this metric is high, it indicates the XML Broker is taking a lot of time to resolve the name of a published application to an IP address. Possible causes include a problem on the client, issues with the XML Broker, such as the XML Broker being overloaded, a problem with the network link between the two, or a problem in IMA. Begin by evaluating traffic on the network and the XML Broker.

Page 20: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Name Resolution Web Server Duration (NRWD)

When this metric is high, there could be an issue with the Web Interface server or the XenApp plugin site (formerly known as the Neighborhood Agent site), the XML Service, the network link between the two, or a problem in IMA.

Like NRCD, this metric indicates how long it takes the XML service to resolve the name of a published application to a XenApp IP address. However, this metric is collected when a Web Interface site is performing this process on behalf of a launch request it has received from either the XenApp plugin (previously known as Program Neighborhood Agent) or from a user clicking a Web Interface page icon. This metric applies to all sessions launched through the Web Interface or the Citrix Online Plugin (formerly, the Program Neighborhood Agent).

Session Look-up Client Duration (SLCD)

This metric represents the time it takes to query every session to host the requested published application. The check is performed on the client to determine whether an existing session can handle the application launch request. The method used depends on whether the session is new or shared.

Ticket Response Web Server Duration (TRWD)

This metric is collected when Receiver or Web Interface is the application launch mechanism. This metric indicates the time it takes to get a ticket (if required) from the STA server or XML service

When this metric is high, it can indicate that the Secure Ticket Authority (STA) server or the XML Broker is overloaded.

Session Creation Client Duration (SCCD)

This metric represents the time it takes to create a new session, from the moment wfica32.exe is launched to when the connection is established.

Table 11: EdgeSight Client Side Metrics

Before using EdgeSight as a troubleshooting tool, begin by gathering some baseline metrics of a standard user account in the environment. This allows the administrator to have a general idea of what a “normal” user should experience when logging on to the Citrix environment, and makes it easier to identify where delays are occurring in the logon process.

Citrix Profile Management is another tool that can aid in troubleshooting long logon delays. The Profile Management logs can be used to pinpoint delays occurring in the logon process. The Profile Management log records all events that occur during the logon and logoff process. Administrators can review the logs to

Page 21: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


see which tasks are taking longer than normal to complete, and take the necessary steps to remediate. The logging feature must be enabled in order to record entries into the log.

Figure 3: Sample output of a UPM log

Optimizing the Logon Process

This section explores various ways to optimize the logon process. Citrix Consulting conducted a series of tests using EdgeSight to demonstrate the impact optimizations have on the logon process.

Note: Citrix Consulting findings are based on testing performed in the Citrix Consulting Solution Center lab, and should not be considered “standard” values for all environments. Other environments may see different results based on various factors including, hardware, operating system, and network architecture. See the Appendix section for more information on what components were used in the test environment.

Profile Load

The most significant impact to the logon process can be attributed to the size of the user profile. To show how the type of user profile impacts the logon process, Citrix Consulting conducted logon performance tests with user accounts configured with Local Profiles, Roaming Profiles with Folder Redirection, and profiles created from the Citrix Profile Management tool. The EdgeSight Session Duration Report was used to capture the data. The metrics of importance for these tests are the Profile Load Session Duration (PLSD) and Session Start-up Server Duration (SSD).

Page 22: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Test 1: Profile Size – Local Profile

Two typical workers accessing MS Word 2010 published in XenApp 6.5. Worker A has a profile size of 100 MB, and Worker B has a profile size of 50 MB. Both profiles are local to the XenApp server. Analyzing the Profile Load Server Duration (PLSD), it was determined that approximately 80% of Worker A’s total logon time was spent loading the user profile.

Figure 4: Logon time breakdown for 100 MB profile

Analyzing the total logon time for Worker B, whose profile size was 50 MB smaller, showed a 4% improvement to the profile load time. It dropped from 80% to 76% as in the graph below. However, the overall Session Startup Duration time (SSD) improved by 15%.

Figure 5: Logon time breakdown for 50 MB profile



4.30% 4.30%

3.48% 2.16%

Worker A Logon Time Breakdown










4.98% 4.25% 2.02%

Worker B Logon Time Breakdown







Page 23: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Over 75% of the entire logon process in both cases was spent loading the user profile. Citrix Consulting recommends using mandatory profiles in XenApp/XenDesktop environments, in order to control profile growth.

Test 2: Profile Size – Roaming Profiles with Folder Redirection

Worker A and Worker B have profile sizes of 100 MB and 50 MB respectively. This time though, their profiles are stored on a local file server, and Roaming Profiles with Folder Redirection is enabled. All folders are redirected to the user’s home directory on the file server.

In both cases when accessing published MS Word 2010 on the XenApp 6.5 server, the profile size was approximately 350 KB in size, as compared to the 50 MB before Roaming Profiles was enabled. The Profile Load Session Duration (PLSD) time was now smaller, around 53% of the overall logon time. The less time required to load the user’s profile resulted in a faster overall logon experience.

Figure 6: Logon Time Breakdown with Roaming Profile and Folder Redirection

In the first test, Citrix Consulting noted a 15% improvement in the overall logon time (SSD) from the 100 MB profile size to the 50 MB profile size. When Roaming Profiles with Folder Redirection was implemented, the profile size generated on the XenApp server went from 50 MB to 350 KB, and overall logon time improved by 53% over the 50 MB local profile implementation. Note: Mandatory Profiles with Folder Redirection can also be used and is preferred for XenApp/XenDesktop environments.





10.63% 4.19%

Roaming Profile Logon Time Breakdown







Page 24: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Figure 7: Local Profile compared to Roaming Profile with Folder Redirection

Test 3: Profile Size – Citrix Profile Management

Citrix Consulting analyzed the logon performance when using Citrix Profile Management 4.1. There are many configuration settings that can be applied either through the Registry or through an INI file to control the behavior of Citrix Profile Management. For this particular test, some settings of interest are

Locally cached profiles are deleted at logoff

Existing profiles are migrated to the user store

Profile streaming is enabled

Exclusion list is based on default settings from the Profile Management INI file

The same test account with the 50 MB profile was used as previously. Profile Management 4.1 was installed on the XenApp server and a UPM profile store was created on the same file server as the user’s Roaming Profile in a separate folder. When the user launched MS Word 2010, a local profile of 1.7 MB was created on the XenApp server, which is larger than the 350 KB profile previously created when Roaming Profile wit Folder Redirection was implemented. The logon time broke down the following way.








100 MB -> 50 MBLocal Profile

50 MB -> 350 KBRoaming Profile

with Folder Redirection

Logon Time Improvement

Page 25: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Figure 8: Logon time breakdown when using UPM

The Profile Load Session Duration (PLSD) is higher at 61% compared to the 53% when only Roaming Profiles with Folder Redirection was used (See Figure 6). Comparing the overall logon performances of the 50 MB local profile, the Roaming Profile, and the UPM profile is shown below.

Figure 9: UPM profile compared to Local and Roaming with Folder Redirection

Profile Management 4.1 improved overall logon time approximately 40%, which although is not as fast as the Roaming Profile implementation, it is a comparable solution for managing profiles and offer features like Profile Streaming. Citrix Consulting recommends running Citrix Profile Management in conjunction with Roaming Profiles with Folder Redirection for best performance.





6.65% 5.43%

Logon Time Breakdown








100 MB -> 50 MBLocal Profile

50 MB -> 350 KBRoaming Profile

with FolderRedirection

50 MB -> 1.7 MBUPM Profile

Logon Improvement

Page 26: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


GPO and Logon Script Processing

For the next series of test, Citrix Consulting wanted to show the impact Group Policy Objects (GPOs) and logon scripts have on the logon process. In particular Citrix Consulting analyzed the impact to the logon process when:

Logon scripts are assigned to the User account property versus assigned through the Logon Script GPO

Processing multiple GPOs with few settings versus processing few GPOs with multiple settings

Processing GPOs synchronously versus asynchronously

The EdgeSight metrics of importance for this test were the Login Script Execution Session Duration (LSESD), the Profile Load Session Duration (PLSD), and the Session Startup Server Duration (SSD).

Test 4: Logon Scripts - Assignment

Worker A has a 6 MB local profile and is launching a published MS Excel 2010 on XenApp 6.5. Worker A has a logon script assigned through the Active Directory User Account property page. The logon script calls another nested logon script. The scripts perform tasks such as mapping network drives, and assigning network and local printers.

The part of the logon process that was impacted the most was the time required for executing the logon scripts. This is reflected in the EdgeSight metric Login Script Execution Session Duration (LSESD).

With the logon script assigned through the AD User account property, LSESD took up about 5% of the user’s logon time.

Figure 10: Logon script assigned through AD User Profile

When evaluating the same scenario but applying the logon scripts through a GPO, the results are different. The LSESD metric grew to almost 20% of the total logon time.

66.10% 10.81%



5.31% 2.26%

Logon Time Breakdown







Page 27: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Figure 11: Logon script assigned through a GPO

Although the LSESD processing time went up, the average logon time (SSD) went down, which meant overall the logon time improved. Notice that the Profile Load time (PLSD) also went down, which meant the profile load time ran quicker than before. EdgeSight recorded the Profile Load time improving by over 50%, and overall logon time (SSD) improving by 16%.

Figure 12: Logon improvements when logon scripts applied as a GPO

Test 5: Logon Script Processing: Synchronous versus Asynchronous

Microsoft changed the default processing behavior of GPO logon scripts from synchronous to asynchronous with the release of Windows Server 2008. Therefore there is a direct correlation with the operating system that hosts XenApp, and the impact to the logon process when logon scripts are used. In the Citrix Consulting Solution Center lab, Windows Server 2008 R2 was used as the operating system, which meant asynchronous processing for the logon scripts applied by default.

To measure the impact of processing scripts synchronously, a GPO to enforce processing logon scripts synchronously was enabled. The GPO setting is Computer Configuration – Policies – Administrative Templates – System/Scripts – Policy – Run logon scripts synchronously. The







Logon Time Breakdown
















Logon Improvement

Page 28: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


logon times were captured using EdgeSight. Various applications were tested, with the results yielding longer logon times on an average of 4% to 8%. Administrators running XenApp environments on Windows Server 2003 may want to consider changing script processing behavior to asynchronous for better logon performance. Note: Administrators should test thoroughly before implementing this change since synchronous processing may be required for the functionality of some applications.

Test 6: Group Policies – Multiple Policies

Citrix Consulting tested the impact to the logon process when applying multiple GPOs with few settings versus applying few GPOs with multiple settings. The test scenario involves Worker A having a 6 MB profile starting a published application. Two sets of tests were involved. For the first set of tests, multiple GPOs were created and assigned to the OU where the XenApp 6.5 farm was located. For the second set of tests, the same GPOs were merged into a single GPO and applied to the XenApp 6.5 farm. The results showed a slight improvement to the logon process with the single GPO applied than with multiple GPOs, even with the same set of policies defined. The improvement fell within a range of 1%-5%. The results aligned with Microsoft’s recommendation of combining smaller GPOs to reduce logon times. (KB Article 315418)

Test 7: Group Policies – Disable Unused GPO Sections

Another recommendation from Microsoft when applying GPOs is to disable unused sections of the User Configuration or Computer Configuration policy. When these settings are disabled, they are not processed at logon resulting in a quicker startup process. This is an important setting that is often overlooked. The test results from Citrix Solution Center lab recorded the smallest profile load times (PLSD) were achieved when unused portions of the GPO were disabled. Note that this is also in conjunction with applying Roaming Profiles and Folder Redirection.

Figure 13: Average breakdown when unused portions of GPO is disabled

When evaluating the overall response times, the applications tested in the Citrix Consulting Solution Center launched consistently faster when the unused portions of the GPO were disabled.





5.66% 2.63%

MS Word Logon Time Breakdown







Page 29: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Figure 14: Logon times before and after unused GPOs are disabled

XenApp Optimizations

Various causes were listed earlier in the document for logon delays with some steps administrators can take to remediate them. This section will focus on specific optimizations that can be made to the XenApp environment to improve the logon process.

Test 8: Anonymous versus Explicit Access

Careful consideration should be taken when deciding to publish applications with anonymous access. In general, applications configured with anonymous access perform faster at logon than applications with explicit access since there is no authentication occurring. The following graph depicts test cases of launching MS Word published with anonymous access and with explicit access. In this test MS Word launched consistently within 6 seconds when using explicit access. With anonymous access the application launched within 5 seconds, however the results were not as consistent.

Figure 15: Explicit versus Anonymous Startup Times










0 2 4 6 8



s Before disablingunused GPOs

After disablingunused GPOs












0 2 4 6 8 10 12






Page 30: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


While anonymous access offers faster logons, the lack of security control may not be acceptable in many organizations. Administrators will need to decide when it would be appropriate to configure applications with anonymous access.

Test 9: Application Pre-Launch

Pre-Launch is a XenApp 6.5 feature intended to improve logon performance when starting a published application. In the Citrix Consulting Solution Center lab, two applications MS Word and MS Excel were configured as Pre-Launched applications. Logon performance was tested with Worker A who has a 50 MB roaming profile with Folder Redirection enabled. A series of tests were performed with the results captured using EdgeSight. The Session Startup Duration (SSD) metric showed on average that MS Word and MS Excel launched between 60%-65% faster when configured as Pre-Launched applications.

Figure 16: Logon Improvement when using Pre-Launched applications

The applications started automatically when Worker A logged on to Citrix Receiver, thus giving the end user experience of a fast launch every time. Administrators need to be mindful that a XenApp license is consumed for every application configured for Pre-Launch regardless if the user launches the application or not.

Other Optimizations

There are other optimizations that can be applied to the XenApp environment which can improve logon performance. Some of those optimizations include:

Editing the list of programs configured in the Registry Run and RunOnce keys

Setting the Pagefile minimum and maximum values to the same size to minimize fragmentation

Disabling Network List Services









Excel Word

Pre-Launch Logon Improvement

Page 31: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Disabling Network Location Awareness Service

Configuring a Custom Load Evaluator

Refer to the Citrix Consulting whitepaper on these optimization settings and best practices for XenApp and XenDesktop environments.


When administrators look for ways to improve the logon performance for their XenApp or XenDesktop environments Citrix Consulting testing have shown the following:

Best logon performance was achieved when implementing a profile solution that minimizes the time needed to build the user’s profile. Citrix Consulting recommends Mandatory Profiles for this reason, however if Mandatory Profiles can’t be implemented, Citrix Consulting recommends Roaming Profiles with Folder Redirection as the next best alternative.

Configuring applications to Pre-Launch in XenApp 6.5 have resulted in faster logons by up to 65%.

Several Microsoft Best Practices for Group Policy processing were covered, however ensuring that unused sections of the Computer/User Configuration Policies are disabled proved to have the greatest impact on improving logon performance.

There are other outside factors which impact logon performance as well, which were not covered as part of the testing in this document, such as network routers, switches, backend databases, etc. It is important to have tools that will evaluate all aspects the Citrix environment.

Page 32: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization



Citrix Consulting Solution Center Lab Components

The following components were used in testing the various scenarios discussed in this paper.

Software Version

Hypervisor XenServer 6

Virtual Desktop Windows 7 x86

VDI Infrastructure XenDesktop 5.6

Central Image Delivery Machine Creation Services (XD 5.6) and Provisioning Services 6.1

Application Delivery XenApp 6.5

Databases SQL Server 2008 R2

Licensing Citrix License Server 11.10

Desktop Presentation Web Interface 5.4

Monitoring EdgeSight 5.4 and Profile Management 4.1

Server OS Windows Server 2008 R2

Page 33: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization



Group Policy Preferences: Getting Started


How to Configure Application Pre-Launch in XenApp 6.5


Citrix Profile Management 4.x


How to Optimize Group Policy for Logon Performance in Windows 2000


XenDesktop and XenApp Best Practices


Installing EdgeSight 5.4 with SQL 2008 R2


How to Enable and Retrieve Profile Management Log Files


Page 34: Logon Optimization for XenDesktop and XenApp

WHITE PAPER | Logon Optimization


Product Versions

Product Version

XenDesktop 4.0 / 5.0 / 5.6

XenApp 5.0 / 6.0 / 6.5

EdgeSight 5.0-5.4

Revision History

Revision Change Description Updated By Date

1.0 Finalized Document Michael Bogobowicz, Jo Harder, Daniel Feller 2/3/2011

2.0 Updated for XenApp 6.5, XenDesktop 5.6, EdgeSight 5.4

Ed Duncan, Andy Baker 4/6/2012

About Citrix

Citrix Systems, Inc. (NASDAQ:CTXS) is a leading provider of virtual computing solutions that help companies deliver IT as an on-demand service. Founded in 1989, Citrix combines virtualization, networking, and cloud computing technologies into a full portfolio of products that enable virtual workstyles for users and virtual datacenters for IT. More than 230,000 organizations worldwide rely on Citrix to help them build simpler and more cost-effective IT environments. Citrix partners with over 10,000 companies in more than 100 countries. Annual revenue in 2011 was $2.20 billion.

©2012 Citrix Systems, Inc. All rights reserved. Citrix®, Access Gateway™, Branch Repeater™, Citrix Repeater™, HDX™, XenServer™, XenApp™, XenDesktop™ and Citrix Delivery Center™ are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of their respective owners.